2 * nat44_ei.c - nat44 endpoint dependent plugin
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 * License for the specific language governing permissions and limitations
18 #include <vnet/plugin/plugin.h>
19 #include <vpp/app/version.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ip/ip4.h>
24 #include <vnet/ip/ip_table.h>
25 #include <vnet/ip/reass/ip4_sv_reass.h>
26 #include <vnet/fib/fib_table.h>
27 #include <vnet/fib/ip4_fib.h>
28 #include <vnet/plugin/plugin.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/nat_inlines.h>
34 #include <nat/lib/ipfix_logging.h>
36 #include <nat/nat44-ei/nat44_ei_dpo.h>
37 #include <nat/nat44-ei/nat44_ei_inlines.h>
38 #include <nat/nat44-ei/nat44_ei.h>
40 nat44_ei_main_t nat44_ei_main;
42 extern vlib_node_registration_t nat44_ei_hairpinning_node;
43 extern vlib_node_registration_t
44 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node;
45 extern vlib_node_registration_t
46 nat44_ei_in2out_hairpinning_finish_interface_output_node;
48 #define skip_if_disabled() \
51 nat44_ei_main_t *nm = &nat44_ei_main; \
52 if (PREDICT_FALSE (!nm->enabled)) \
57 #define fail_if_enabled() \
60 nat44_ei_main_t *nm = &nat44_ei_main; \
61 if (PREDICT_FALSE (nm->enabled)) \
63 nat44_ei_log_err ("plugin enabled"); \
64 return VNET_API_ERROR_FEATURE_ALREADY_ENABLED; \
69 #define fail_if_disabled() \
72 nat44_ei_main_t *nm = &nat44_ei_main; \
73 if (PREDICT_FALSE (!nm->enabled)) \
75 nat44_ei_log_err ("plugin disabled"); \
76 return VNET_API_ERROR_FEATURE_ALREADY_DISABLED; \
81 /* Hook up input features */
82 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
83 .arc_name = "ip4-unicast",
84 .node_name = "nat44-ei-classify",
85 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
86 "ip4-sv-reassembly-feature"),
88 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
89 .arc_name = "ip4-unicast",
90 .node_name = "nat44-ei-handoff-classify",
91 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
92 "ip4-sv-reassembly-feature"),
94 VNET_FEATURE_INIT (ip4_nat44_ei_in2out, static) = {
95 .arc_name = "ip4-unicast",
96 .node_name = "nat44-ei-in2out",
97 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
98 "ip4-sv-reassembly-feature"),
100 VNET_FEATURE_INIT (ip4_nat44_ei_out2in, static) = {
101 .arc_name = "ip4-unicast",
102 .node_name = "nat44-ei-out2in",
103 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
104 "ip4-sv-reassembly-feature",
105 "ip4-dhcp-client-detect"),
107 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output, static) = {
108 .arc_name = "ip4-output",
109 .node_name = "nat44-ei-in2out-output",
110 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
111 "ip4-sv-reassembly-output-feature"),
113 VNET_FEATURE_INIT (ip4_nat44_ei_hairpinning, static) = {
114 .arc_name = "ip4-local",
115 .node_name = "nat44-ei-hairpinning",
116 .runs_before = VNET_FEATURES ("ip4-local-end-of-arc"),
118 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_worker_handoff, static) = {
119 .arc_name = "ip4-unicast",
120 .node_name = "nat44-ei-in2out-worker-handoff",
121 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
123 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_worker_handoff, static) = {
124 .arc_name = "ip4-unicast",
125 .node_name = "nat44-ei-out2in-worker-handoff",
126 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
127 "ip4-dhcp-client-detect"),
129 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output_worker_handoff, static) = {
130 .arc_name = "ip4-output",
131 .node_name = "nat44-ei-in2out-output-worker-handoff",
132 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
133 "ip4-sv-reassembly-output-feature"),
136 VLIB_PLUGIN_REGISTER () = {
137 .version = VPP_BUILD_VER,
138 .description = "IPv4 Endpoint-Independent NAT (NAT44 EI)",
141 #define foreach_nat44_ei_classify_error \
142 _ (NEXT_IN2OUT, "next in2out") \
143 _ (NEXT_OUT2IN, "next out2in") \
144 _ (FRAG_CACHED, "fragment cached")
148 #define _(sym, str) NAT44_EI_CLASSIFY_ERROR_##sym,
149 foreach_nat44_ei_classify_error
151 NAT44_EI_CLASSIFY_N_ERROR,
152 } nat44_ei_classify_error_t;
154 static char *nat44_ei_classify_error_strings[] = {
155 #define _(sym, string) string,
156 foreach_nat44_ei_classify_error
162 NAT44_EI_CLASSIFY_NEXT_IN2OUT,
163 NAT44_EI_CLASSIFY_NEXT_OUT2IN,
164 NAT44_EI_CLASSIFY_NEXT_DROP,
165 NAT44_EI_CLASSIFY_N_NEXT,
166 } nat44_ei_classify_next_t;
172 } nat44_ei_classify_trace_t;
174 void nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len,
175 u32 sw_if_index, int is_add);
177 static void nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm);
179 static int nat44_ei_add_static_mapping_internal (
180 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
181 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags,
182 ip4_address_t pool_addr, u8 *tag);
184 static int nat44_ei_del_static_mapping_internal (
185 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
186 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags);
189 nat44_ei_port_is_used (nat44_ei_address_t *a, u8 proto, u16 port)
191 return clib_bitmap_get (a->busy_port_bitmap[proto], port);
195 nat44_ei_port_get (nat44_ei_address_t *a, u8 proto, u16 port)
197 ASSERT (!nat44_ei_port_is_used (a, proto, port));
198 a->busy_port_bitmap[proto] =
199 clib_bitmap_set (a->busy_port_bitmap[proto], port, 1);
203 nat44_ei_port_put (nat44_ei_address_t *a, u8 proto, u16 port)
205 ASSERT (nat44_ei_port_is_used (a, proto, port));
206 a->busy_port_bitmap[proto] =
207 clib_bitmap_set (a->busy_port_bitmap[proto], port, 0);
211 format_nat44_ei_classify_trace (u8 *s, va_list *args)
213 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
214 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
215 nat44_ei_classify_trace_t *t = va_arg (*args, nat44_ei_classify_trace_t *);
219 s = format (s, "nat44-ei-classify: fragment cached");
222 next = t->next_in2out ? "nat44-ei-in2out" : "nat44-ei-out2in";
223 s = format (s, "nat44-ei-classify: next %s", next);
229 static void nat44_ei_db_init (u32 translations, u32 translation_buckets,
232 static void nat44_ei_ip4_add_del_interface_address_cb (
233 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
234 u32 address_length, u32 if_address_index, u32 is_delete);
236 static void nat44_ei_ip4_add_del_addr_only_sm_cb (
237 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
238 u32 address_length, u32 if_address_index, u32 is_delete);
240 static void nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque,
241 u32 sw_if_index, u32 new_fib_index,
245 nat44_ei_set_node_indexes (nat44_ei_main_t *nm, vlib_main_t *vm)
248 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-out2in");
249 nm->out2in_node_index = node->index;
250 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out");
251 nm->in2out_node_index = node->index;
252 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out-output");
253 nm->in2out_output_node_index = node->index;
257 nat44_ei_set_workers (uword *bitmap)
259 nat44_ei_main_t *nm = &nat44_ei_main;
262 if (nm->num_workers < 2)
263 return VNET_API_ERROR_FEATURE_DISABLED;
265 if (clib_bitmap_last_set (bitmap) >= nm->num_workers)
266 return VNET_API_ERROR_INVALID_WORKER;
268 vec_free (nm->workers);
269 clib_bitmap_foreach (i, bitmap)
271 vec_add1 (nm->workers, i);
272 nm->per_thread_data[nm->first_worker_index + i].snat_thread_index = j;
273 nm->per_thread_data[nm->first_worker_index + i].thread_index = i;
277 nm->port_per_thread = (0xffff - 1024) / _vec_len (nm->workers);
282 #define nat_validate_simple_counter(c, i) \
285 vlib_validate_simple_counter (&c, i); \
286 vlib_zero_simple_counter (&c, i); \
290 #define nat_init_simple_counter(c, n, sn) \
294 c.stat_segment_name = sn; \
295 nat_validate_simple_counter (c, 0); \
299 static_always_inline void
300 nat_validate_interface_counters (nat44_ei_main_t *nm, u32 sw_if_index)
303 nat_validate_simple_counter (nm->counters.fastpath.in2out.x, sw_if_index); \
304 nat_validate_simple_counter (nm->counters.fastpath.out2in.x, sw_if_index); \
305 nat_validate_simple_counter (nm->counters.slowpath.in2out.x, sw_if_index); \
306 nat_validate_simple_counter (nm->counters.slowpath.out2in.x, sw_if_index);
309 nat_validate_simple_counter (nm->counters.hairpinning, sw_if_index);
313 nat44_ei_add_del_addr_to_fib_foreach_out_if (ip4_address_t *addr, u8 is_add)
315 nat44_ei_main_t *nm = &nat44_ei_main;
316 nat44_ei_interface_t *i;
318 pool_foreach (i, nm->interfaces)
320 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
322 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
325 pool_foreach (i, nm->output_feature_interfaces)
327 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
329 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
334 static_always_inline void
335 nat44_ei_add_del_addr_to_fib_foreach_addr (u32 sw_if_index, u8 is_add)
337 nat44_ei_main_t *nm = &nat44_ei_main;
338 nat44_ei_address_t *ap;
340 vec_foreach (ap, nm->addresses)
342 nat44_ei_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, is_add);
346 static_always_inline void
347 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (u32 sw_if_index, u8 is_add)
349 nat44_ei_main_t *nm = &nat44_ei_main;
350 nat44_ei_static_mapping_t *m;
352 pool_foreach (m, nm->static_mappings)
354 if (is_sm_addr_only (m->flags) &&
355 !(m->local_addr.as_u32 == m->external_addr.as_u32))
357 nat44_ei_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index,
364 nat44_ei_is_address_used_in_static_mapping (ip4_address_t addr)
366 nat44_ei_main_t *nm = &nat44_ei_main;
367 nat44_ei_static_mapping_t *m;
368 pool_foreach (m, nm->static_mappings)
370 if (is_sm_addr_only (m->flags) || is_sm_identity_nat (m->flags))
374 if (m->external_addr.as_u32 == addr.as_u32)
383 nat44_ei_init (vlib_main_t *vm)
385 nat44_ei_main_t *nm = &nat44_ei_main;
386 vlib_thread_main_t *tm = vlib_get_thread_main ();
387 vlib_thread_registration_t *tr;
388 ip4_add_del_interface_address_callback_t cbi = { 0 };
389 ip4_table_bind_callback_t cbt = { 0 };
390 u32 i, num_threads = 0;
391 uword *p, *bitmap = 0;
393 clib_memset (nm, 0, sizeof (*nm));
396 nm->vnet_main = vnet_get_main ();
398 nm->ip4_main = &ip4_main;
399 nm->api_main = vlibapi_get_main ();
400 nm->ip4_lookup_main = &ip4_main.lookup_main;
403 nm->fq_out2in_index = ~0;
404 nm->fq_in2out_index = ~0;
405 nm->fq_in2out_output_index = ~0;
407 nm->log_level = NAT_LOG_ERROR;
409 nat44_ei_set_node_indexes (nm, vm);
410 nm->log_class = vlib_log_register_class ("nat44-ei", 0);
412 nat_init_simple_counter (nm->total_users, "total-users",
413 "/nat44-ei/total-users");
414 nat_init_simple_counter (nm->total_sessions, "total-sessions",
415 "/nat44-ei/total-sessions");
416 nat_init_simple_counter (nm->user_limit_reached, "user-limit-reached",
417 "/nat44-ei/user-limit-reached");
420 nat_init_simple_counter (nm->counters.fastpath.in2out.x, #x, \
421 "/nat44-ei/in2out/fastpath/" #x); \
422 nat_init_simple_counter (nm->counters.fastpath.out2in.x, #x, \
423 "/nat44-ei/out2in/fastpath/" #x); \
424 nat_init_simple_counter (nm->counters.slowpath.in2out.x, #x, \
425 "/nat44-ei/in2out/slowpath/" #x); \
426 nat_init_simple_counter (nm->counters.slowpath.out2in.x, #x, \
427 "/nat44-ei/out2in/slowpath/" #x);
430 nat_init_simple_counter (nm->counters.hairpinning, "hairpinning",
431 "/nat44-ei/hairpinning");
433 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
436 tr = (vlib_thread_registration_t *) p[0];
439 nm->num_workers = tr->count;
440 nm->first_worker_index = tr->first_index;
443 num_threads = tm->n_vlib_mains - 1;
444 nm->port_per_thread = 0xffff - 1024;
445 vec_validate (nm->per_thread_data, num_threads);
447 /* Use all available workers by default */
448 if (nm->num_workers > 1)
450 for (i = 0; i < nm->num_workers; i++)
451 bitmap = clib_bitmap_set (bitmap, i, 1);
452 nat44_ei_set_workers (bitmap);
453 clib_bitmap_free (bitmap);
457 nm->per_thread_data[0].snat_thread_index = 0;
460 /* callbacks to call when interface address changes. */
461 cbi.function = nat44_ei_ip4_add_del_interface_address_cb;
462 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
463 cbi.function = nat44_ei_ip4_add_del_addr_only_sm_cb;
464 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
466 /* callbacks to call when interface to table biding changes */
467 cbt.function = nat44_ei_update_outside_fib;
468 vec_add1 (nm->ip4_main->table_bind_callbacks, cbt);
470 nm->fib_src_low = fib_source_allocate (
471 "nat44-ei-low", FIB_SOURCE_PRIORITY_LOW, FIB_SOURCE_BH_SIMPLE);
472 nm->fib_src_hi = fib_source_allocate ("nat44-ei-hi", FIB_SOURCE_PRIORITY_HI,
473 FIB_SOURCE_BH_SIMPLE);
475 // used only by out2in-dpo feature
476 nat_dpo_module_init ();
477 nat_ha_init (vm, nm->num_workers, num_threads);
479 nm->hairpinning_fq_index =
480 vlib_frame_queue_main_init (nat44_ei_hairpinning_node.index, 0);
481 nm->in2out_hairpinning_finish_ip4_lookup_node_fq_index =
482 vlib_frame_queue_main_init (
483 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node.index, 0);
484 nm->in2out_hairpinning_finish_interface_output_node_fq_index =
485 vlib_frame_queue_main_init (
486 nat44_ei_in2out_hairpinning_finish_interface_output_node.index, 0);
487 return nat44_ei_api_hookup (vm);
490 VLIB_INIT_FUNCTION (nat44_ei_init);
493 nat44_ei_plugin_enable (nat44_ei_config_t c)
495 nat44_ei_main_t *nm = &nat44_ei_main;
503 c.sessions = 10 * 1024;
505 if (!c.user_sessions)
506 c.user_sessions = c.sessions;
510 if (!nm->frame_queue_nelts)
511 nm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
513 nm->translations = c.sessions;
514 nm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
515 nm->user_buckets = nat_calc_bihash_buckets (c.users);
517 nm->pat = (!c.static_mapping_only ||
518 (c.static_mapping_only && c.connection_tracking));
520 nm->static_mapping_only = c.static_mapping_only;
521 nm->static_mapping_connection_tracking = c.connection_tracking;
522 nm->out2in_dpo = c.out2in_dpo;
523 nm->forwarding_enabled = 0;
524 nm->mss_clamping = 0;
526 nm->max_users_per_thread = c.users;
527 nm->max_translations_per_thread = c.sessions;
528 nm->max_translations_per_user = c.user_sessions;
530 nm->inside_vrf_id = c.inside_vrf;
531 nm->inside_fib_index = fib_table_find_or_create_and_lock (
532 FIB_PROTOCOL_IP4, c.inside_vrf, nm->fib_src_hi);
534 nm->outside_vrf_id = c.outside_vrf;
535 nm->outside_fib_index = fib_table_find_or_create_and_lock (
536 FIB_PROTOCOL_IP4, c.outside_vrf, nm->fib_src_hi);
538 nat_reset_timeouts (&nm->timeouts);
539 nat44_ei_db_init (nm->translations, nm->translation_buckets,
541 nat44_ei_set_alloc_default ();
543 vlib_zero_simple_counter (&nm->total_users, 0);
544 vlib_zero_simple_counter (&nm->total_sessions, 0);
545 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
547 if (nm->num_workers > 1)
549 if (nm->fq_in2out_index == ~0)
551 nm->fq_in2out_index = vlib_frame_queue_main_init (
552 nm->in2out_node_index, nm->frame_queue_nelts);
554 if (nm->fq_out2in_index == ~0)
556 nm->fq_out2in_index = vlib_frame_queue_main_init (
557 nm->out2in_node_index, nm->frame_queue_nelts);
559 if (nm->fq_in2out_output_index == ~0)
561 nm->fq_in2out_output_index = vlib_frame_queue_main_init (
562 nm->in2out_output_node_index, nm->frame_queue_nelts);
572 static_always_inline nat44_ei_outside_fib_t *
573 nat44_ei_get_outside_fib (nat44_ei_outside_fib_t *outside_fibs, u32 fib_index)
575 nat44_ei_outside_fib_t *f;
576 vec_foreach (f, outside_fibs)
578 if (f->fib_index == fib_index)
586 static_always_inline nat44_ei_interface_t *
587 nat44_ei_get_interface (nat44_ei_interface_t *interfaces, u32 sw_if_index)
589 nat44_ei_interface_t *i;
590 pool_foreach (i, interfaces)
592 if (i->sw_if_index == sw_if_index)
600 static_always_inline int
601 nat44_ei_hairpinning_enable (u8 is_enable)
603 nat44_ei_main_t *nm = &nat44_ei_main;
604 u32 sw_if_index = 0; // local0
608 nm->hairpin_reg += 1;
609 if (1 == nm->hairpin_reg)
611 return vnet_feature_enable_disable (
612 "ip4-local", "nat44-ei-hairpinning", sw_if_index, is_enable, 0, 0);
617 if (0 == nm->hairpin_reg)
620 nm->hairpin_reg -= 1;
621 if (0 == nm->hairpin_reg)
623 return vnet_feature_enable_disable (
624 "ip4-local", "nat44-ei-hairpinning", sw_if_index, is_enable, 0, 0);
632 nat44_ei_add_interface (u32 sw_if_index, u8 is_inside)
634 const char *feature_name, *del_feature_name;
635 nat44_ei_main_t *nm = &nat44_ei_main;
637 nat44_ei_outside_fib_t *outside_fib;
638 nat44_ei_interface_t *i;
644 if (nm->out2in_dpo && !is_inside)
646 nat44_ei_log_err ("error unsupported");
647 return VNET_API_ERROR_UNSUPPORTED;
650 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
652 nat44_ei_log_err ("error interface already configured");
653 return VNET_API_ERROR_VALUE_EXIST;
656 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
659 if ((nat44_ei_interface_is_inside (i) && is_inside) ||
660 (nat44_ei_interface_is_outside (i) && !is_inside))
664 if (nm->num_workers > 1)
666 del_feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
667 "nat44-ei-out2in-worker-handoff";
668 feature_name = "nat44-ei-handoff-classify";
673 !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
675 feature_name = "nat44-ei-classify";
678 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
683 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
684 sw_if_index, 0, 0, 0);
689 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
690 sw_if_index, 1, 0, 0);
697 rv = nat44_ei_hairpinning_enable (0);
706 if (nm->num_workers > 1)
708 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
709 "nat44-ei-out2in-worker-handoff";
713 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
715 nat_validate_interface_counters (nm, sw_if_index);
717 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
722 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
723 sw_if_index, 1, 0, 0);
728 if (is_inside && !nm->out2in_dpo)
730 rv = nat44_ei_hairpinning_enable (1);
737 pool_get (nm->interfaces, i);
738 i->sw_if_index = sw_if_index;
743 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
747 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
749 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
752 outside_fib->refcount++;
756 vec_add2 (nm->outside_fibs, outside_fib, 1);
757 outside_fib->fib_index = fib_index;
758 outside_fib->refcount = 1;
761 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
762 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
766 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
773 nat44_ei_del_interface (u32 sw_if_index, u8 is_inside)
775 const char *feature_name, *del_feature_name;
776 nat44_ei_main_t *nm = &nat44_ei_main;
778 nat44_ei_outside_fib_t *outside_fib;
779 nat44_ei_interface_t *i;
785 if (nm->out2in_dpo && !is_inside)
787 nat44_ei_log_err ("error unsupported");
788 return VNET_API_ERROR_UNSUPPORTED;
791 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
794 nat44_ei_log_err ("error interface couldn't be found");
795 return VNET_API_ERROR_NO_SUCH_ENTRY;
798 if (nat44_ei_interface_is_inside (i) && nat44_ei_interface_is_outside (i))
800 if (nm->num_workers > 1)
802 del_feature_name = "nat44-ei-handoff-classify";
803 feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
804 "nat44-ei-out2in-worker-handoff";
808 del_feature_name = "nat44-ei-classify";
809 feature_name = !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
812 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
817 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
818 sw_if_index, 0, 0, 0);
823 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
824 sw_if_index, 1, 0, 0);
831 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
835 rv = nat44_ei_hairpinning_enable (1);
840 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
845 if (nm->num_workers > 1)
847 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
848 "nat44-ei-out2in-worker-handoff";
852 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
855 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
860 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
861 sw_if_index, 0, 0, 0);
868 rv = nat44_ei_hairpinning_enable (0);
876 pool_put (nm->interfaces, i);
882 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
883 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
886 outside_fib->refcount--;
887 if (!outside_fib->refcount)
889 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
893 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
894 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
901 nat44_ei_add_output_interface (u32 sw_if_index)
903 nat44_ei_main_t *nm = &nat44_ei_main;
905 nat44_ei_outside_fib_t *outside_fib;
906 nat44_ei_interface_t *i;
912 if (nat44_ei_get_interface (nm->interfaces, sw_if_index))
914 nat44_ei_log_err ("error interface already configured");
915 return VNET_API_ERROR_VALUE_EXIST;
918 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
920 nat44_ei_log_err ("error interface already configured");
921 return VNET_API_ERROR_VALUE_EXIST;
924 if (nm->num_workers > 1)
926 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
931 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
936 rv = vnet_feature_enable_disable (
937 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 1, 0, 0);
942 rv = vnet_feature_enable_disable (
943 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 1,
952 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
957 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
962 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
963 sw_if_index, 1, 0, 0);
968 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
969 sw_if_index, 1, 0, 0);
976 nat_validate_interface_counters (nm, sw_if_index);
978 pool_get (nm->output_feature_interfaces, i);
979 i->sw_if_index = sw_if_index;
981 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
982 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
985 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
986 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
989 outside_fib->refcount++;
993 vec_add2 (nm->outside_fibs, outside_fib, 1);
994 outside_fib->fib_index = fib_index;
995 outside_fib->refcount = 1;
998 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
999 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
1005 nat44_ei_del_output_interface (u32 sw_if_index)
1007 nat44_ei_main_t *nm = &nat44_ei_main;
1009 nat44_ei_outside_fib_t *outside_fib;
1010 nat44_ei_interface_t *i;
1014 fail_if_disabled ();
1016 i = nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index);
1019 nat44_ei_log_err ("error interface couldn't be found");
1020 return VNET_API_ERROR_NO_SUCH_ENTRY;
1023 if (nm->num_workers > 1)
1025 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1030 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1035 rv = vnet_feature_enable_disable (
1036 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1041 rv = vnet_feature_enable_disable (
1042 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 0,
1051 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1056 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1061 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
1062 sw_if_index, 0, 0, 0);
1067 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
1068 sw_if_index, 0, 0, 0);
1075 pool_put (nm->output_feature_interfaces, i);
1078 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1079 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
1082 outside_fib->refcount--;
1083 if (!outside_fib->refcount)
1085 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
1089 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
1090 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
1096 nat44_ei_add_del_output_interface (u32 sw_if_index, int is_del)
1100 return nat44_ei_del_output_interface (sw_if_index);
1104 return nat44_ei_add_output_interface (sw_if_index);
1109 nat44_ei_del_addresses ()
1111 nat44_ei_main_t *nm = &nat44_ei_main;
1112 nat44_ei_address_t *a, *vec;
1115 vec = vec_dup (nm->addresses);
1116 vec_foreach (a, vec)
1118 error = nat44_ei_del_address (a->addr, 0);
1122 nat44_ei_log_err ("error occurred while removing adderess");
1126 vec_free (nm->addresses);
1129 vec_free (nm->auto_add_sw_if_indices);
1130 nm->auto_add_sw_if_indices = 0;
1135 nat44_ei_del_interfaces ()
1137 nat44_ei_main_t *nm = &nat44_ei_main;
1138 nat44_ei_interface_t *i, *pool;
1141 pool = pool_dup (nm->interfaces);
1142 pool_foreach (i, pool)
1144 if (nat44_ei_interface_is_inside (i))
1146 error = nat44_ei_del_interface (i->sw_if_index, 1);
1148 if (nat44_ei_interface_is_outside (i))
1150 error = nat44_ei_del_interface (i->sw_if_index, 0);
1155 nat44_ei_log_err ("error occurred while removing interface");
1159 pool_free (nm->interfaces);
1165 nat44_ei_del_output_interfaces ()
1167 nat44_ei_main_t *nm = &nat44_ei_main;
1168 nat44_ei_interface_t *i, *pool;
1171 pool = pool_dup (nm->output_feature_interfaces);
1172 pool_foreach (i, pool)
1174 error = nat44_ei_del_output_interface (i->sw_if_index);
1177 nat44_ei_log_err ("error occurred while removing output interface");
1181 pool_free (nm->output_feature_interfaces);
1182 nm->output_feature_interfaces = 0;
1187 nat44_ei_del_static_mappings ()
1189 nat44_ei_main_t *nm = &nat44_ei_main;
1190 nat44_ei_static_mapping_t *m, *pool;
1193 pool = pool_dup (nm->static_mappings);
1194 pool_foreach (m, pool)
1196 error = nat44_ei_del_static_mapping_internal (
1197 m->local_addr, m->external_addr, m->local_port, m->external_port,
1198 m->proto, m->vrf_id, ~0, m->flags);
1201 nat44_ei_log_err ("error occurred while removing mapping");
1205 pool_free (nm->static_mappings);
1206 nm->static_mappings = 0;
1208 vec_free (nm->to_resolve);
1211 clib_bihash_free_8_8 (&nm->static_mapping_by_local);
1212 clib_bihash_free_8_8 (&nm->static_mapping_by_external);
1218 nat44_ei_plugin_disable ()
1220 nat44_ei_main_t *nm = &nat44_ei_main;
1221 nat44_ei_main_per_thread_data_t *tnm;
1224 fail_if_disabled ();
1228 rc = nat44_ei_del_static_mappings ();
1230 error = VNET_API_ERROR_BUG;
1232 rc = nat44_ei_del_addresses ();
1234 error = VNET_API_ERROR_BUG;
1236 rc = nat44_ei_del_interfaces ();
1238 error = VNET_API_ERROR_BUG;
1240 rc = nat44_ei_del_output_interfaces ();
1242 error = VNET_API_ERROR_BUG;
1246 clib_bihash_free_8_8 (&nm->in2out);
1247 clib_bihash_free_8_8 (&nm->out2in);
1249 vec_foreach (tnm, nm->per_thread_data)
1251 nat44_ei_worker_db_free (tnm);
1255 clib_memset (&nm->rconfig, 0, sizeof (nm->rconfig));
1257 nm->forwarding_enabled = 0;
1264 nat44_ei_set_outside_address_and_port (nat44_ei_address_t *addresses,
1265 u32 thread_index, ip4_address_t addr,
1266 u16 port, nat_protocol_t protocol)
1268 nat44_ei_address_t *a = 0;
1270 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1272 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1274 if (addresses[address_index].addr.as_u32 != addr.as_u32)
1277 a = addresses + address_index;
1278 if (nat44_ei_port_is_used (a, protocol, port_host_byte_order))
1279 return VNET_API_ERROR_INSTANCE_IN_USE;
1281 nat44_ei_port_get (a, protocol, port_host_byte_order);
1282 a->busy_ports_per_thread[protocol][thread_index]++;
1283 a->busy_ports[protocol]++;
1287 return VNET_API_ERROR_NO_SUCH_ENTRY;
1291 nat44_ei_add_del_address_dpo (ip4_address_t addr, u8 is_add)
1293 nat44_ei_main_t *nm = &nat44_ei_main;
1294 dpo_id_t dpo_v4 = DPO_INVALID;
1295 fib_prefix_t pfx = {
1296 .fp_proto = FIB_PROTOCOL_IP4,
1298 .fp_addr.ip4.as_u32 = addr.as_u32,
1303 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
1304 fib_table_entry_special_dpo_add (0, &pfx, nm->fib_src_hi,
1305 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
1306 dpo_reset (&dpo_v4);
1310 fib_table_entry_special_remove (0, &pfx, nm->fib_src_hi);
1315 nat44_ei_free_outside_address_and_port (nat44_ei_address_t *addresses,
1316 u32 thread_index, ip4_address_t *addr,
1317 u16 port, nat_protocol_t protocol)
1319 nat44_ei_address_t *a;
1321 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1323 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1325 if (addresses[address_index].addr.as_u32 == addr->as_u32)
1329 ASSERT (address_index < vec_len (addresses));
1331 a = addresses + address_index;
1332 nat44_ei_port_put (a, protocol, port_host_byte_order);
1333 a->busy_ports[protocol]--;
1334 a->busy_ports_per_thread[protocol][thread_index]--;
1338 nat44_ei_free_session_data_v2 (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1339 u32 thread_index, u8 is_ha)
1341 clib_bihash_kv_8_8_t kv;
1343 /* session lookup tables */
1344 init_nat_i2o_k (&kv, s);
1345 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1346 nat_elog_warn (nm, "in2out key del failed");
1347 init_nat_o2i_k (&kv, s);
1348 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1349 nat_elog_warn (nm, "out2in key del failed");
1352 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1353 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
1354 s->out2in.port, s->nat_proto);
1356 if (nat44_ei_is_unk_proto_session (s))
1362 nat_ipfix_logging_nat44_ses_delete (
1363 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1364 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1365 s->in2out.fib_index);
1367 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1368 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1372 if (nat44_ei_is_session_static (s))
1375 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1376 &s->out2in.addr, s->out2in.port,
1381 nat44_ei_user_get_or_create (nat44_ei_main_t *nm, ip4_address_t *addr,
1382 u32 fib_index, u32 thread_index)
1384 nat44_ei_user_t *u = 0;
1385 nat44_ei_user_key_t user_key;
1386 clib_bihash_kv_8_8_t kv, value;
1387 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1388 dlist_elt_t *per_user_list_head_elt;
1390 user_key.addr.as_u32 = addr->as_u32;
1391 user_key.fib_index = fib_index;
1392 kv.key = user_key.as_u64;
1394 /* Ever heard of the "user" = src ip4 address before? */
1395 if (clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1397 if (pool_elts (tnm->users) >= nm->max_users_per_thread)
1399 vlib_increment_simple_counter (&nm->user_limit_reached, thread_index,
1401 nat_elog_warn (nm, "maximum user limit reached");
1404 /* no, make a new one */
1405 pool_get (tnm->users, u);
1406 clib_memset (u, 0, sizeof (*u));
1408 u->addr.as_u32 = addr->as_u32;
1409 u->fib_index = fib_index;
1411 pool_get (tnm->list_pool, per_user_list_head_elt);
1413 u->sessions_per_user_list_head_index =
1414 per_user_list_head_elt - tnm->list_pool;
1416 clib_dlist_init (tnm->list_pool, u->sessions_per_user_list_head_index);
1418 kv.value = u - tnm->users;
1421 if (clib_bihash_add_del_8_8 (&tnm->user_hash, &kv, 1))
1423 nat_elog_warn (nm, "user_hash key add failed");
1424 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
1428 vlib_set_simple_counter (&nm->total_users, thread_index, 0,
1429 pool_elts (tnm->users));
1433 u = pool_elt_at_index (tnm->users, value.value);
1439 nat44_ei_session_t *
1440 nat44_ei_session_alloc_or_recycle (nat44_ei_main_t *nm, nat44_ei_user_t *u,
1441 u32 thread_index, f64 now)
1443 nat44_ei_session_t *s;
1444 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1445 u32 oldest_per_user_translation_list_index, session_index;
1446 dlist_elt_t *oldest_per_user_translation_list_elt;
1447 dlist_elt_t *per_user_translation_list_elt;
1449 /* Over quota? Recycle the least recently used translation */
1450 if ((u->nsessions + u->nstaticsessions) >= nm->max_translations_per_user)
1452 oldest_per_user_translation_list_index = clib_dlist_remove_head (
1453 tnm->list_pool, u->sessions_per_user_list_head_index);
1455 ASSERT (oldest_per_user_translation_list_index != ~0);
1457 /* Add it back to the end of the LRU list */
1458 clib_dlist_addtail (tnm->list_pool, u->sessions_per_user_list_head_index,
1459 oldest_per_user_translation_list_index);
1460 /* Get the list element */
1461 oldest_per_user_translation_list_elt = pool_elt_at_index (
1462 tnm->list_pool, oldest_per_user_translation_list_index);
1464 /* Get the session index from the list element */
1465 session_index = oldest_per_user_translation_list_elt->value;
1467 /* Get the session */
1468 s = pool_elt_at_index (tnm->sessions, session_index);
1470 nat44_ei_free_session_data_v2 (nm, s, thread_index, 0);
1471 if (nat44_ei_is_session_static (s))
1472 u->nstaticsessions--;
1479 s->ext_host_addr.as_u32 = 0;
1480 s->ext_host_port = 0;
1481 s->ext_host_nat_addr.as_u32 = 0;
1482 s->ext_host_nat_port = 0;
1486 pool_get (tnm->sessions, s);
1487 clib_memset (s, 0, sizeof (*s));
1489 /* Create list elts */
1490 pool_get (tnm->list_pool, per_user_translation_list_elt);
1491 clib_dlist_init (tnm->list_pool,
1492 per_user_translation_list_elt - tnm->list_pool);
1494 per_user_translation_list_elt->value = s - tnm->sessions;
1495 s->per_user_index = per_user_translation_list_elt - tnm->list_pool;
1496 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1498 clib_dlist_addtail (tnm->list_pool, s->per_user_list_head_index,
1499 per_user_translation_list_elt - tnm->list_pool);
1501 s->user_index = u - tnm->users;
1502 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
1503 pool_elts (tnm->sessions));
1506 s->ha_last_refreshed = now;
1512 nat44_ei_free_session_data (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1513 u32 thread_index, u8 is_ha)
1515 clib_bihash_kv_8_8_t kv;
1517 init_nat_i2o_k (&kv, s);
1518 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1519 nat_elog_warn (nm, "in2out key del failed");
1521 init_nat_o2i_k (&kv, s);
1522 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1523 nat_elog_warn (nm, "out2in key del failed");
1527 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1528 &s->in2out.addr, s->in2out.port,
1529 &s->out2in.addr, s->out2in.port, s->nat_proto);
1531 nat_ipfix_logging_nat44_ses_delete (
1532 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1533 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1534 s->in2out.fib_index);
1536 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1537 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1541 if (nat44_ei_is_session_static (s))
1544 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1545 &s->out2in.addr, s->out2in.port,
1549 static_always_inline void
1550 nat44_ei_user_del_sessions (nat44_ei_user_t *u, u32 thread_index)
1553 nat44_ei_session_t *s;
1555 nat44_ei_main_t *nm = &nat44_ei_main;
1556 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1560 pool_elt_at_index (tnm->list_pool, u->sessions_per_user_list_head_index);
1561 // get first element
1562 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1564 while (elt->value != ~0)
1566 s = pool_elt_at_index (tnm->sessions, elt->value);
1567 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1569 nat44_ei_free_session_data (nm, s, thread_index, 0);
1570 nat44_ei_delete_session (nm, s, thread_index);
1575 nat44_ei_user_del (ip4_address_t *addr, u32 fib_index)
1579 nat44_ei_main_t *nm = &nat44_ei_main;
1580 nat44_ei_main_per_thread_data_t *tnm;
1582 nat44_ei_user_key_t user_key;
1583 clib_bihash_kv_8_8_t kv, value;
1585 user_key.addr.as_u32 = addr->as_u32;
1586 user_key.fib_index = fib_index;
1587 kv.key = user_key.as_u64;
1589 if (nm->num_workers > 1)
1591 vec_foreach (tnm, nm->per_thread_data)
1593 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1595 nat44_ei_user_del_sessions (
1596 pool_elt_at_index (tnm->users, value.value),
1605 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
1606 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1608 nat44_ei_user_del_sessions (
1609 pool_elt_at_index (tnm->users, value.value), tnm->thread_index);
1617 nat44_ei_static_mapping_del_sessions (nat44_ei_main_t *nm,
1618 nat44_ei_main_per_thread_data_t *tnm,
1619 nat44_ei_user_key_t u_key, int addr_only,
1620 ip4_address_t e_addr, u16 e_port)
1622 clib_bihash_kv_8_8_t kv, value;
1623 kv.key = u_key.as_u64;
1625 dlist_elt_t *head, *elt;
1627 nat44_ei_session_t *s;
1628 u32 elt_index, head_index, ses_index;
1630 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1632 user_index = value.value;
1633 u = pool_elt_at_index (tnm->users, user_index);
1634 if (u->nstaticsessions)
1636 head_index = u->sessions_per_user_list_head_index;
1637 head = pool_elt_at_index (tnm->list_pool, head_index);
1638 elt_index = head->next;
1639 elt = pool_elt_at_index (tnm->list_pool, elt_index);
1640 ses_index = elt->value;
1641 while (ses_index != ~0)
1643 s = pool_elt_at_index (tnm->sessions, ses_index);
1644 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1645 ses_index = elt->value;
1649 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
1650 (s->out2in.port != e_port))
1654 if (!nat44_ei_is_session_static (s))
1657 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
1659 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
1669 nat44_ei_get_in2out_worker_index (ip4_header_t *ip0, u32 rx_fib_index0,
1672 nat44_ei_main_t *nm = &nat44_ei_main;
1673 u32 next_worker_index = 0;
1676 next_worker_index = nm->first_worker_index;
1677 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
1678 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
1680 if (PREDICT_TRUE (is_pow2 (_vec_len (nm->workers))))
1681 next_worker_index += nm->workers[hash & (_vec_len (nm->workers) - 1)];
1683 next_worker_index += nm->workers[hash % _vec_len (nm->workers)];
1685 return next_worker_index;
1689 nat44_ei_get_thread_idx_by_port (u16 e_port)
1691 nat44_ei_main_t *nm = &nat44_ei_main;
1692 u32 thread_idx = nm->num_workers;
1693 if (nm->num_workers > 1)
1695 thread_idx = nm->first_worker_index +
1696 nm->workers[(e_port - 1024) / nm->port_per_thread %
1697 _vec_len (nm->workers)];
1703 nat44_ei_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip0,
1704 u32 rx_fib_index0, u8 is_output)
1706 nat44_ei_main_t *nm = &nat44_ei_main;
1709 clib_bihash_kv_8_8_t kv, value;
1710 nat44_ei_static_mapping_t *m;
1712 u32 next_worker_index = 0;
1714 /* first try static mappings without port */
1715 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1717 init_nat_k (&kv, ip0->dst_address, 0, rx_fib_index0, 0);
1718 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1721 m = pool_elt_at_index (nm->static_mappings, value.value);
1722 return m->workers[0];
1726 proto = ip_proto_to_nat_proto (ip0->protocol);
1727 udp = ip4_next_header (ip0);
1728 port = vnet_buffer (b)->ip.reass.l4_dst_port;
1730 /* unknown protocol */
1731 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
1733 /* use current thread */
1734 return vlib_get_thread_index ();
1737 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
1739 icmp46_header_t *icmp = (icmp46_header_t *) udp;
1740 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
1741 if (!icmp_type_is_error_message (
1742 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
1743 port = vnet_buffer (b)->ip.reass.l4_src_port;
1746 /* if error message, then it's not fragmented and we can access it */
1747 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
1748 proto = ip_proto_to_nat_proto (inner_ip->protocol);
1749 void *l4_header = ip4_next_header (inner_ip);
1752 case NAT_PROTOCOL_ICMP:
1753 icmp = (icmp46_header_t *) l4_header;
1754 echo = (icmp_echo_header_t *) (icmp + 1);
1755 port = echo->identifier;
1757 case NAT_PROTOCOL_UDP:
1758 case NAT_PROTOCOL_TCP:
1759 port = ((tcp_udp_header_t *) l4_header)->src_port;
1762 return vlib_get_thread_index ();
1767 /* try static mappings with port */
1768 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1770 init_nat_k (&kv, ip0->dst_address, port, rx_fib_index0, proto);
1771 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1774 m = pool_elt_at_index (nm->static_mappings, value.value);
1775 return m->workers[0];
1779 /* worker by outside port */
1781 nat44_ei_get_thread_idx_by_port (clib_net_to_host_u16 (port));
1782 return next_worker_index;
1786 nat44_ei_alloc_default_cb (nat44_ei_address_t *addresses, u32 fib_index,
1787 u32 thread_index, nat_protocol_t proto,
1788 ip4_address_t s_addr, ip4_address_t *addr,
1789 u16 *port, u16 port_per_thread,
1790 u32 snat_thread_index)
1792 nat44_ei_main_t *nm = &nat44_ei_main;
1793 nat44_ei_address_t *a, *ga = 0;
1797 if (vec_len (addresses) > 0)
1799 int s_addr_offset = s_addr.as_u32 % vec_len (addresses);
1801 for (i = s_addr_offset; i < vec_len (addresses); ++i)
1805 if (a->busy_ports_per_thread[proto][thread_index] < port_per_thread)
1807 if (a->fib_index == fib_index)
1811 portnum = (port_per_thread * snat_thread_index) +
1812 nat_random_port (&nm->random_seed, 0,
1813 port_per_thread - 1) +
1815 if (nat44_ei_port_is_used (a, proto, portnum))
1817 nat44_ei_port_get (a, proto, portnum);
1818 a->busy_ports_per_thread[proto][thread_index]++;
1819 a->busy_ports[proto]++;
1821 *port = clib_host_to_net_u16 (portnum);
1825 else if (a->fib_index == ~0)
1832 for (i = 0; i < s_addr_offset; ++i)
1835 if (a->busy_ports_per_thread[proto][thread_index] < port_per_thread)
1837 if (a->fib_index == fib_index)
1841 portnum = (port_per_thread * snat_thread_index) +
1842 nat_random_port (&nm->random_seed, 0,
1843 port_per_thread - 1) +
1845 if (nat44_ei_port_is_used (a, proto, portnum))
1847 nat44_ei_port_get (a, proto, portnum);
1848 a->busy_ports_per_thread[proto][thread_index]++;
1849 a->busy_ports[proto]++;
1851 *port = clib_host_to_net_u16 (portnum);
1855 else if (a->fib_index == ~0)
1865 if (a->busy_ports_per_thread[proto][thread_index] < port_per_thread)
1867 if (a->fib_index == ~0)
1871 portnum = (port_per_thread * snat_thread_index) +
1872 nat_random_port (&nm->random_seed, 0,
1873 port_per_thread - 1) +
1875 if (nat44_ei_port_is_used (a, proto, portnum))
1877 nat44_ei_port_get (a, proto, portnum);
1878 a->busy_ports_per_thread[proto][thread_index]++;
1879 a->busy_ports[proto]++;
1881 *port = clib_host_to_net_u16 (portnum);
1889 /* Totally out of translations to use... */
1890 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1895 nat44_ei_alloc_range_cb (nat44_ei_address_t *addresses, u32 fib_index,
1896 u32 thread_index, nat_protocol_t proto,
1897 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1898 u16 port_per_thread, u32 snat_thread_index)
1900 nat44_ei_main_t *nm = &nat44_ei_main;
1901 nat44_ei_address_t *a = addresses;
1904 ports = nm->end_port - nm->start_port + 1;
1906 if (!vec_len (addresses))
1909 if (a->busy_ports[proto] < ports)
1914 nat_random_port (&nm->random_seed, nm->start_port, nm->end_port);
1915 if (nat44_ei_port_is_used (a, proto, portnum))
1917 nat44_ei_port_get (a, proto, portnum);
1918 a->busy_ports[proto]++;
1920 *port = clib_host_to_net_u16 (portnum);
1926 /* Totally out of translations to use... */
1927 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1932 nat44_ei_alloc_mape_cb (nat44_ei_address_t *addresses, u32 fib_index,
1933 u32 thread_index, nat_protocol_t proto,
1934 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1935 u16 port_per_thread, u32 snat_thread_index)
1937 nat44_ei_main_t *nm = &nat44_ei_main;
1938 nat44_ei_address_t *a = addresses;
1939 u16 m, ports, portnum, A, j;
1940 m = 16 - (nm->psid_offset + nm->psid_length);
1941 ports = (1 << (16 - nm->psid_length)) - (1 << m);
1943 if (!vec_len (addresses))
1946 if (a->busy_ports[proto] < ports)
1951 nat_random_port (&nm->random_seed, 1, pow2_mask (nm->psid_offset));
1952 j = nat_random_port (&nm->random_seed, 0, pow2_mask (m));
1953 portnum = A | (nm->psid << nm->psid_offset) | (j << (16 - m));
1954 if (nat44_ei_port_is_used (a, proto, portnum))
1956 nat44_ei_port_get (a, proto, portnum);
1957 a->busy_ports[proto]++;
1959 *port = clib_host_to_net_u16 (portnum);
1965 /* Totally out of translations to use... */
1966 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1971 nat44_ei_set_alloc_default ()
1973 nat44_ei_main_t *nm = &nat44_ei_main;
1975 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
1976 nm->alloc_addr_and_port = nat44_ei_alloc_default_cb;
1980 nat44_ei_set_alloc_range (u16 start_port, u16 end_port)
1982 nat44_ei_main_t *nm = &nat44_ei_main;
1984 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_RANGE;
1985 nm->alloc_addr_and_port = nat44_ei_alloc_range_cb;
1986 nm->start_port = start_port;
1987 nm->end_port = end_port;
1991 nat44_ei_set_alloc_mape (u16 psid, u16 psid_offset, u16 psid_length)
1993 nat44_ei_main_t *nm = &nat44_ei_main;
1995 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_MAPE;
1996 nm->alloc_addr_and_port = nat44_ei_alloc_mape_cb;
1998 nm->psid_offset = psid_offset;
1999 nm->psid_length = psid_length;
2003 nat44_ei_delete_session (nat44_ei_main_t *nm, nat44_ei_session_t *ses,
2006 nat44_ei_main_per_thread_data_t *tnm =
2007 vec_elt_at_index (nm->per_thread_data, thread_index);
2008 clib_bihash_kv_8_8_t kv, value;
2010 const nat44_ei_user_key_t u_key = { .addr = ses->in2out.addr,
2011 .fib_index = ses->in2out.fib_index };
2012 const u8 u_static = nat44_ei_is_session_static (ses);
2014 clib_dlist_remove (tnm->list_pool, ses->per_user_index);
2015 pool_put_index (tnm->list_pool, ses->per_user_index);
2017 pool_put (tnm->sessions, ses);
2018 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
2019 pool_elts (tnm->sessions));
2021 kv.key = u_key.as_u64;
2022 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2024 u = pool_elt_at_index (tnm->users, value.value);
2026 u->nstaticsessions--;
2030 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
2035 nat44_ei_del_session (nat44_ei_main_t *nm, ip4_address_t *addr, u16 port,
2036 nat_protocol_t proto, u32 vrf_id, int is_in)
2038 nat44_ei_main_per_thread_data_t *tnm;
2039 clib_bihash_kv_8_8_t kv, value;
2041 nat44_ei_session_t *s;
2042 clib_bihash_8_8_t *t;
2044 fail_if_disabled ();
2046 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
2047 init_nat_k (&kv, *addr, port, fib_index, proto);
2048 t = is_in ? &nm->in2out : &nm->out2in;
2049 if (!clib_bihash_search_8_8 (t, &kv, &value))
2051 // this is called from API/CLI, so the world is stopped here
2052 // it's safe to manipulate arbitrary per-thread data
2053 u32 thread_index = nat_value_get_thread_index (&value);
2054 tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
2055 u32 session_index = nat_value_get_session_index (&value);
2056 if (pool_is_free_index (tnm->sessions, session_index))
2057 return VNET_API_ERROR_UNSPECIFIED;
2059 s = pool_elt_at_index (tnm->sessions, session_index);
2060 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data, 0);
2061 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2065 return VNET_API_ERROR_NO_SUCH_ENTRY;
2069 nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len, u32 sw_if_index,
2072 nat44_ei_main_t *nm = &nat44_ei_main;
2073 fib_prefix_t prefix = {
2075 .fp_proto = FIB_PROTOCOL_IP4,
2077 .ip4.as_u32 = addr->as_u32,
2080 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
2084 fib_table_entry_update_one_path (fib_index, &prefix, nm->fib_src_low,
2085 (FIB_ENTRY_FLAG_CONNECTED |
2086 FIB_ENTRY_FLAG_LOCAL |
2087 FIB_ENTRY_FLAG_EXCLUSIVE),
2088 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
2089 NULL, FIB_ROUTE_PATH_FLAG_NONE);
2093 fib_table_entry_delete (fib_index, &prefix, nm->fib_src_low);
2098 nat44_ei_reserve_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2100 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2101 nat44_ei_main_t *nm = &nat44_ei_main;
2102 nat44_ei_address_t *a = 0;
2105 for (i = 0; i < vec_len (nm->addresses); i++)
2107 a = nm->addresses + i;
2109 if (a->addr.as_u32 != addr.as_u32)
2112 if (nat44_ei_port_is_used (a, proto, port))
2115 nat44_ei_port_get (a, proto, port);
2118 a->busy_ports[proto]++;
2119 a->busy_ports_per_thread[proto][ti]++;
2128 nat44_ei_free_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2130 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2131 nat44_ei_main_t *nm = &nat44_ei_main;
2132 nat44_ei_address_t *a = 0;
2135 for (i = 0; i < vec_len (nm->addresses); i++)
2137 a = nm->addresses + i;
2139 if (a->addr.as_u32 != addr.as_u32)
2142 nat44_ei_port_put (a, proto, port);
2145 a->busy_ports[proto]--;
2146 a->busy_ports_per_thread[proto][ti]--;
2155 nat44_ei_add_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2156 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2157 u32 flags, ip4_address_t pool_addr, u8 *tag)
2159 nat44_ei_static_map_resolve_t *rp;
2160 nat44_ei_main_t *nm = &nat44_ei_main;
2162 vec_add2 (nm->to_resolve, rp, 1);
2163 rp->l_addr.as_u32 = l_addr.as_u32;
2164 rp->l_port = l_port;
2165 rp->e_port = e_port;
2166 rp->sw_if_index = sw_if_index;
2167 rp->vrf_id = vrf_id;
2170 rp->pool_addr = pool_addr;
2171 rp->tag = vec_dup (tag);
2175 nat44_ei_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2176 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2177 u32 flags, int *out)
2179 nat44_ei_static_map_resolve_t *rp;
2180 nat44_ei_main_t *nm = &nat44_ei_main;
2183 for (i = 0; i < vec_len (nm->to_resolve); i++)
2185 rp = nm->to_resolve + i;
2187 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
2189 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
2191 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2193 if (rp->e_port != e_port || rp->proto != proto)
2199 else if (rp->l_addr.as_u32 == l_addr.as_u32)
2201 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2203 if (rp->l_port != l_port || rp->e_port != e_port ||
2225 nat44_ei_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2226 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2229 nat44_ei_main_t *nm = &nat44_ei_main;
2231 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2232 sw_if_index, flags, &i))
2234 vec_del1 (nm->to_resolve, i);
2241 delete_matching_dynamic_sessions (const nat44_ei_static_mapping_t *m,
2244 nat44_ei_main_t *nm = &nat44_ei_main;
2245 clib_bihash_kv_8_8_t kv, value;
2246 nat44_ei_session_t *s;
2247 nat44_ei_user_key_t u_key;
2249 nat44_ei_main_per_thread_data_t *tnm;
2250 dlist_elt_t *head, *elt;
2251 u32 elt_index, head_index;
2255 if (nm->static_mapping_only)
2258 tnm = vec_elt_at_index (nm->per_thread_data, worker_index);
2260 u_key.addr = m->local_addr;
2261 u_key.fib_index = m->fib_index;
2262 kv.key = u_key.as_u64;
2263 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2265 user_index = value.value;
2266 u = pool_elt_at_index (tnm->users, user_index);
2269 head_index = u->sessions_per_user_list_head_index;
2270 head = pool_elt_at_index (tnm->list_pool, head_index);
2271 elt_index = head->next;
2272 elt = pool_elt_at_index (tnm->list_pool, elt_index);
2273 ses_index = elt->value;
2274 while (ses_index != ~0)
2276 s = pool_elt_at_index (tnm->sessions, ses_index);
2277 elt = pool_elt_at_index (tnm->list_pool, elt->next);
2278 ses_index = elt->value;
2280 if (nat44_ei_is_session_static (s))
2283 if (!is_sm_addr_only (m->flags) &&
2284 s->in2out.port != m->local_port)
2287 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
2289 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2291 if (!is_sm_addr_only (m->flags))
2299 nat44_ei_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2300 u16 l_port, u16 e_port, nat_protocol_t proto,
2301 u32 vrf_id, u32 sw_if_index, u32 flags,
2302 ip4_address_t pool_addr, u8 *tag)
2305 nat44_ei_main_t *nm = &nat44_ei_main;
2307 if (is_sm_switch_address (flags))
2309 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2310 sw_if_index, flags, 0))
2312 return VNET_API_ERROR_VALUE_EXIST;
2315 nat44_ei_add_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2316 sw_if_index, flags, pool_addr, tag);
2318 ip4_address_t *first_int_addr =
2319 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2320 if (!first_int_addr)
2322 // dhcp resolution required
2326 e_addr.as_u32 = first_int_addr->as_u32;
2329 return nat44_ei_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
2330 proto, vrf_id, sw_if_index,
2331 flags, pool_addr, tag);
2335 nat44_ei_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2336 u16 l_port, u16 e_port, nat_protocol_t proto,
2337 u32 vrf_id, u32 sw_if_index, u32 flags)
2339 nat44_ei_main_t *nm = &nat44_ei_main;
2341 if (is_sm_switch_address (flags))
2344 if (nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2345 sw_if_index, flags))
2347 return VNET_API_ERROR_NO_SUCH_ENTRY;
2350 ip4_address_t *first_int_addr =
2351 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2352 if (!first_int_addr)
2354 // dhcp resolution required
2358 e_addr.as_u32 = first_int_addr->as_u32;
2361 return nat44_ei_del_static_mapping_internal (
2362 l_addr, e_addr, l_port, e_port, proto, vrf_id, sw_if_index, flags);
2366 nat44_ei_add_static_mapping_internal (ip4_address_t l_addr,
2367 ip4_address_t e_addr, u16 l_port,
2368 u16 e_port, nat_protocol_t proto,
2369 u32 vrf_id, u32 sw_if_index, u32 flags,
2370 ip4_address_t pool_addr, u8 *tag)
2372 nat44_ei_main_t *nm = &nat44_ei_main;
2373 clib_bihash_kv_8_8_t kv, value;
2374 nat44_ei_lb_addr_port_t *local;
2375 nat44_ei_static_mapping_t *m;
2379 fail_if_disabled ();
2381 if (is_sm_addr_only (flags))
2383 e_port = l_port = proto = 0;
2386 if (is_sm_identity_nat (flags))
2389 l_addr.as_u32 = e_addr.as_u32;
2393 init_nat_k (&kv, e_addr, e_port, 0, proto);
2395 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2397 m = pool_elt_at_index (nm->static_mappings, value.value);
2398 if (!is_sm_identity_nat (m->flags))
2400 return VNET_API_ERROR_VALUE_EXIST;
2404 // adding local identity nat record for different vrf table
2405 pool_foreach (local, m->locals)
2407 if (local->vrf_id == vrf_id)
2409 return VNET_API_ERROR_VALUE_EXIST;
2413 pool_get (m->locals, local);
2415 local->vrf_id = vrf_id;
2416 local->fib_index = fib_table_find_or_create_and_lock (
2417 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2419 init_nat_kv (&kv, m->local_addr, m->local_port, local->fib_index,
2420 m->proto, 0, m - nm->static_mappings);
2421 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2428 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
2433 // fallback to default vrf
2434 vrf_id = nm->inside_vrf_id;
2435 fib_index = nm->inside_fib_index;
2436 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2439 if (!is_sm_identity_nat (flags))
2441 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2442 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2444 return VNET_API_ERROR_VALUE_EXIST;
2448 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2450 if (nat44_ei_reserve_port (e_addr, e_port, proto))
2452 // remove resolve record
2453 if ((is_sm_switch_address (flags)) && !is_sm_identity_nat (flags))
2455 nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto,
2456 vrf_id, sw_if_index, flags);
2458 return VNET_API_ERROR_NO_SUCH_ENTRY;
2462 pool_get (nm->static_mappings, m);
2463 clib_memset (m, 0, sizeof (*m));
2466 m->local_addr = l_addr;
2467 m->external_addr = e_addr;
2469 m->tag = vec_dup (tag);
2471 if (!is_sm_addr_only (flags))
2473 m->local_port = l_port;
2474 m->external_port = e_port;
2478 if (is_sm_identity_nat (flags))
2480 pool_get (m->locals, local);
2482 local->vrf_id = vrf_id;
2483 local->fib_index = fib_index;
2488 m->fib_index = fib_index;
2491 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto, 0,
2492 m - nm->static_mappings);
2493 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2495 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
2496 m - nm->static_mappings);
2497 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 1);
2499 if (nm->num_workers > 1)
2501 // store worker index for this record
2503 .src_address = m->local_addr,
2505 worker_index = nat44_ei_get_in2out_worker_index (&ip, m->fib_index, 0);
2506 vec_add1 (m->workers, worker_index);
2510 worker_index = nm->num_workers;
2512 delete_matching_dynamic_sessions (m, worker_index);
2514 if (is_sm_addr_only (flags))
2516 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 1);
2523 nat44_ei_del_static_mapping_internal (ip4_address_t l_addr,
2524 ip4_address_t e_addr, u16 l_port,
2525 u16 e_port, nat_protocol_t proto,
2526 u32 vrf_id, u32 sw_if_index, u32 flags)
2528 nat44_ei_main_per_thread_data_t *tnm;
2529 nat44_ei_main_t *nm = &nat44_ei_main;
2530 clib_bihash_kv_8_8_t kv, value;
2531 nat44_ei_lb_addr_port_t *local;
2532 nat44_ei_static_mapping_t *m;
2534 nat44_ei_user_key_t u_key;
2536 fail_if_disabled ();
2538 if (is_sm_addr_only (flags))
2540 e_port = l_port = proto = 0;
2543 if (is_sm_identity_nat (flags))
2546 l_addr.as_u32 = e_addr.as_u32;
2550 init_nat_k (&kv, e_addr, e_port, 0, proto);
2552 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2554 if (is_sm_switch_address (flags))
2558 return VNET_API_ERROR_NO_SUCH_ENTRY;
2561 m = pool_elt_at_index (nm->static_mappings, value.value);
2563 if (is_sm_identity_nat (flags))
2569 vrf_id = nm->inside_vrf_id;
2572 pool_foreach (local, m->locals)
2574 if (local->vrf_id == vrf_id)
2576 local = pool_elt_at_index (m->locals, local - m->locals);
2577 fib_index = local->fib_index;
2578 pool_put (m->locals, local);
2584 return VNET_API_ERROR_NO_SUCH_ENTRY;
2589 fib_index = m->fib_index;
2592 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2594 if (nat44_ei_free_port (e_addr, e_port, proto))
2596 return VNET_API_ERROR_INVALID_VALUE;
2600 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2601 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 0);
2603 if (!nm->static_mapping_only || nm->static_mapping_connection_tracking)
2605 // delete sessions for static mapping
2606 if (nm->num_workers > 1)
2607 tnm = vec_elt_at_index (nm->per_thread_data, m->workers[0]);
2609 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
2611 u_key.addr = m->local_addr;
2612 u_key.fib_index = fib_index;
2613 kv.key = u_key.as_u64;
2614 nat44_ei_static_mapping_del_sessions (
2615 nm, tnm, u_key, is_sm_addr_only (flags), e_addr, e_port);
2618 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2620 if (!pool_elts (m->locals))
2622 // this is last record remove all required stuff
2624 init_nat_k (&kv, e_addr, e_port, 0, proto);
2625 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 0);
2628 vec_free (m->workers);
2629 pool_put (nm->static_mappings, m);
2631 if (is_sm_addr_only (flags) && !is_sm_identity_nat (flags))
2633 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 0);
2641 nat44_ei_static_mapping_match (ip4_address_t match_addr, u16 match_port,
2642 u32 match_fib_index,
2643 nat_protocol_t match_protocol,
2644 ip4_address_t *mapping_addr, u16 *mapping_port,
2645 u32 *mapping_fib_index, u8 by_external,
2646 u8 *is_addr_only, u8 *is_identity_nat)
2648 nat44_ei_main_t *nm = &nat44_ei_main;
2649 clib_bihash_kv_8_8_t kv, value;
2650 nat44_ei_static_mapping_t *m;
2655 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
2656 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2659 /* Try address only mapping */
2660 init_nat_k (&kv, match_addr, 0, 0, 0);
2661 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2665 m = pool_elt_at_index (nm->static_mappings, value.value);
2667 *mapping_fib_index = m->fib_index;
2668 *mapping_addr = m->local_addr;
2669 port = m->local_port;
2673 init_nat_k (&kv, match_addr, match_port, match_fib_index,
2675 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2677 /* Try address only mapping */
2678 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
2679 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv,
2683 m = pool_elt_at_index (nm->static_mappings, value.value);
2685 *mapping_fib_index = nm->outside_fib_index;
2686 *mapping_addr = m->external_addr;
2687 port = m->external_port;
2690 /* Address only mapping doesn't change port */
2691 if (is_sm_addr_only (m->flags))
2692 *mapping_port = match_port;
2694 *mapping_port = port;
2696 if (PREDICT_FALSE (is_addr_only != 0))
2697 *is_addr_only = is_sm_addr_only (m->flags);
2699 if (PREDICT_FALSE (is_identity_nat != 0))
2700 *is_identity_nat = is_sm_identity_nat (m->flags);
2706 nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm)
2708 pool_free (tnm->list_pool);
2709 pool_free (tnm->lru_pool);
2710 pool_free (tnm->sessions);
2711 pool_free (tnm->users);
2713 clib_bihash_free_8_8 (&tnm->user_hash);
2717 format_nat44_ei_key (u8 *s, va_list *args)
2719 u64 key = va_arg (*args, u64);
2723 nat_protocol_t protocol;
2726 split_nat_key (key, &addr, &port, &fib_index, &protocol);
2728 s = format (s, "%U proto %U port %d fib %d", format_ip4_address, &addr,
2729 format_nat_protocol, protocol, clib_net_to_host_u16 (port),
2735 format_nat44_ei_user_kvp (u8 *s, va_list *args)
2737 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2738 nat44_ei_user_key_t k;
2742 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2743 k.fib_index, v->value);
2749 format_nat44_ei_session_kvp (u8 *s, va_list *args)
2751 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2753 s = format (s, "%U thread-index %llu session-index %llu",
2754 format_nat44_ei_key, v->key, nat_value_get_thread_index (v),
2755 nat_value_get_session_index (v));
2761 format_nat44_ei_static_mapping_kvp (u8 *s, va_list *args)
2763 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2765 s = format (s, "%U static-mapping-index %llu", format_nat44_ei_key, v->key,
2772 nat44_ei_worker_db_init (nat44_ei_main_per_thread_data_t *tnm,
2773 u32 translations, u32 translation_buckets,
2778 pool_alloc (tnm->list_pool, translations);
2779 pool_alloc (tnm->lru_pool, translations);
2780 pool_alloc (tnm->sessions, translations);
2782 clib_bihash_init_8_8 (&tnm->user_hash, "users", user_buckets, 0);
2784 clib_bihash_set_kvp_format_fn_8_8 (&tnm->user_hash,
2785 format_nat44_ei_user_kvp);
2787 pool_get (tnm->lru_pool, head);
2788 tnm->tcp_trans_lru_head_index = head - tnm->lru_pool;
2789 clib_dlist_init (tnm->lru_pool, tnm->tcp_trans_lru_head_index);
2791 pool_get (tnm->lru_pool, head);
2792 tnm->tcp_estab_lru_head_index = head - tnm->lru_pool;
2793 clib_dlist_init (tnm->lru_pool, tnm->tcp_estab_lru_head_index);
2795 pool_get (tnm->lru_pool, head);
2796 tnm->udp_lru_head_index = head - tnm->lru_pool;
2797 clib_dlist_init (tnm->lru_pool, tnm->udp_lru_head_index);
2799 pool_get (tnm->lru_pool, head);
2800 tnm->icmp_lru_head_index = head - tnm->lru_pool;
2801 clib_dlist_init (tnm->lru_pool, tnm->icmp_lru_head_index);
2803 pool_get (tnm->lru_pool, head);
2804 tnm->unk_proto_lru_head_index = head - tnm->lru_pool;
2805 clib_dlist_init (tnm->lru_pool, tnm->unk_proto_lru_head_index);
2809 nat44_ei_db_init (u32 translations, u32 translation_buckets, u32 user_buckets)
2811 nat44_ei_main_t *nm = &nat44_ei_main;
2812 nat44_ei_main_per_thread_data_t *tnm;
2814 u32 static_mapping_buckets = 1024;
2815 u32 static_mapping_memory_size = 64 << 20;
2817 clib_bihash_init_8_8 (&nm->static_mapping_by_local,
2818 "static_mapping_by_local", static_mapping_buckets,
2819 static_mapping_memory_size);
2820 clib_bihash_init_8_8 (&nm->static_mapping_by_external,
2821 "static_mapping_by_external", static_mapping_buckets,
2822 static_mapping_memory_size);
2823 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_local,
2824 format_nat44_ei_static_mapping_kvp);
2825 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_external,
2826 format_nat44_ei_static_mapping_kvp);
2830 clib_bihash_init_8_8 (&nm->in2out, "in2out", translation_buckets, 0);
2831 clib_bihash_init_8_8 (&nm->out2in, "out2in", translation_buckets, 0);
2832 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2833 format_nat44_ei_session_kvp);
2834 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2835 format_nat44_ei_session_kvp);
2836 vec_foreach (tnm, nm->per_thread_data)
2838 nat44_ei_worker_db_init (tnm, translations, translation_buckets,
2845 nat44_ei_sessions_clear ()
2847 nat44_ei_main_t *nm = &nat44_ei_main;
2848 nat44_ei_main_per_thread_data_t *tnm;
2852 clib_bihash_free_8_8 (&nm->in2out);
2853 clib_bihash_free_8_8 (&nm->out2in);
2854 clib_bihash_init_8_8 (&nm->in2out, "in2out", nm->translation_buckets, 0);
2855 clib_bihash_init_8_8 (&nm->out2in, "out2in", nm->translation_buckets, 0);
2856 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2857 format_nat44_ei_session_kvp);
2858 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2859 format_nat44_ei_session_kvp);
2860 vec_foreach (tnm, nm->per_thread_data)
2862 nat44_ei_worker_db_free (tnm);
2863 nat44_ei_worker_db_init (tnm, nm->translations,
2864 nm->translation_buckets, nm->user_buckets);
2868 vlib_zero_simple_counter (&nm->total_users, 0);
2869 vlib_zero_simple_counter (&nm->total_sessions, 0);
2870 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
2874 nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque, u32 sw_if_index,
2875 u32 new_fib_index, u32 old_fib_index)
2877 nat44_ei_main_t *nm = &nat44_ei_main;
2878 nat44_ei_outside_fib_t *outside_fib;
2879 nat44_ei_interface_t *i;
2883 if (!nm->enabled || (new_fib_index == old_fib_index) ||
2884 (!vec_len (nm->outside_fibs)))
2889 pool_foreach (i, nm->interfaces)
2891 if (i->sw_if_index == sw_if_index)
2893 if (!(nat44_ei_interface_is_outside (i)))
2899 pool_foreach (i, nm->output_feature_interfaces)
2901 if (i->sw_if_index == sw_if_index)
2903 if (!(nat44_ei_interface_is_outside (i)))
2912 vec_foreach (outside_fib, nm->outside_fibs)
2914 if (outside_fib->fib_index == old_fib_index)
2916 outside_fib->refcount--;
2917 if (!outside_fib->refcount)
2918 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
2923 vec_foreach (outside_fib, nm->outside_fibs)
2925 if (outside_fib->fib_index == new_fib_index)
2927 outside_fib->refcount++;
2935 vec_add2 (nm->outside_fibs, outside_fib, 1);
2936 outside_fib->refcount = 1;
2937 outside_fib->fib_index = new_fib_index;
2942 nat44_ei_add_address (ip4_address_t *addr, u32 vrf_id)
2944 nat44_ei_main_t *nm = &nat44_ei_main;
2945 vlib_thread_main_t *tm = vlib_get_thread_main ();
2946 nat44_ei_address_t *ap;
2948 fail_if_disabled ();
2950 /* Check if address already exists */
2951 vec_foreach (ap, nm->addresses)
2953 if (ap->addr.as_u32 == addr->as_u32)
2955 nat44_ei_log_err ("address exist");
2956 return VNET_API_ERROR_VALUE_EXIST;
2960 vec_add2 (nm->addresses, ap, 1);
2967 ap->fib_index = fib_table_find_or_create_and_lock (
2968 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2971 nat_protocol_t proto;
2972 for (proto = 0; proto < NAT_N_PROTOCOLS; ++proto)
2974 ap->busy_port_bitmap[proto] = 0;
2975 ap->busy_ports[proto] = 0;
2976 ap->busy_ports_per_thread[proto] = 0;
2977 vec_validate_init_empty (ap->busy_ports_per_thread[proto],
2978 tm->n_vlib_mains - 1, 0);
2981 nat44_ei_add_del_addr_to_fib_foreach_out_if (addr, 1);
2987 nat44_ei_del_address (ip4_address_t addr, u8 delete_sm)
2989 nat44_ei_main_t *nm = &nat44_ei_main;
2990 nat44_ei_address_t *a = 0;
2991 nat44_ei_session_t *ses;
2992 u32 *ses_to_be_removed = 0, *ses_index;
2993 nat44_ei_main_per_thread_data_t *tnm;
2994 nat44_ei_static_mapping_t *m;
2997 fail_if_disabled ();
2999 /* Find SNAT address */
3000 for (j = 0; j < vec_len (nm->addresses); j++)
3002 if (nm->addresses[j].addr.as_u32 == addr.as_u32)
3004 a = nm->addresses + j;
3010 nat44_ei_log_err ("no such address");
3011 return VNET_API_ERROR_NO_SUCH_ENTRY;
3016 pool_foreach (m, nm->static_mappings)
3018 if (m->external_addr.as_u32 == addr.as_u32)
3019 nat44_ei_del_static_mapping_internal (
3020 m->local_addr, m->external_addr, m->local_port, m->external_port,
3021 m->proto, m->vrf_id, ~0, m->flags);
3026 /* Check if address is used in some static mapping */
3027 if (nat44_ei_is_address_used_in_static_mapping (addr))
3029 nat44_ei_log_err ("address used in static mapping");
3030 return VNET_API_ERROR_UNSPECIFIED;
3034 /* Delete sessions using address */
3035 if (a->busy_ports[NAT_PROTOCOL_TCP] || a->busy_ports[NAT_PROTOCOL_UDP] ||
3036 a->busy_ports[NAT_PROTOCOL_ICMP])
3038 vec_foreach (tnm, nm->per_thread_data)
3040 pool_foreach (ses, tnm->sessions)
3042 if (ses->out2in.addr.as_u32 == addr.as_u32)
3044 nat44_ei_free_session_data (nm, ses,
3045 tnm - nm->per_thread_data, 0);
3046 vec_add1 (ses_to_be_removed, ses - tnm->sessions);
3049 vec_foreach (ses_index, ses_to_be_removed)
3051 ses = pool_elt_at_index (tnm->sessions, ses_index[0]);
3052 nat44_ei_delete_session (nm, ses, tnm - nm->per_thread_data);
3054 vec_free (ses_to_be_removed);
3058 nat44_ei_add_del_addr_to_fib_foreach_out_if (&addr, 0);
3060 if (a->fib_index != ~0)
3062 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
3065 nat_protocol_t proto;
3066 for (proto = 0; proto < NAT_N_PROTOCOLS; ++proto)
3068 vec_free (a->busy_ports_per_thread[proto]);
3071 vec_del1 (nm->addresses, j);
3076 nat44_ei_add_interface_address (u32 sw_if_index)
3078 nat44_ei_main_t *nm = &nat44_ei_main;
3079 ip4_main_t *ip4_main = nm->ip4_main;
3080 ip4_address_t *first_int_addr;
3081 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3084 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3086 if (auto_add_sw_if_indices[i] == sw_if_index)
3088 return VNET_API_ERROR_VALUE_EXIST;
3092 /* add to the auto-address list */
3093 vec_add1 (nm->auto_add_sw_if_indices, sw_if_index);
3095 // if the address is already bound - or static - add it now
3096 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3099 (void) nat44_ei_add_address (first_int_addr, ~0);
3106 nat44_ei_del_interface_address (u32 sw_if_index)
3108 nat44_ei_main_t *nm = &nat44_ei_main;
3109 ip4_main_t *ip4_main = nm->ip4_main;
3110 ip4_address_t *first_int_addr;
3111 nat44_ei_static_map_resolve_t *rp;
3112 u32 *indices_to_delete = 0;
3114 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3116 fail_if_disabled ();
3118 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3120 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3122 if (auto_add_sw_if_indices[i] == sw_if_index)
3125 ip4_interface_first_address (ip4_main, sw_if_index, 0);
3128 (void) nat44_ei_del_address (first_int_addr[0], 1);
3132 for (j = 0; j < vec_len (nm->to_resolve); j++)
3134 rp = nm->to_resolve + j;
3135 if (rp->sw_if_index == sw_if_index)
3137 vec_add1 (indices_to_delete, j);
3140 if (vec_len (indices_to_delete))
3142 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3144 vec_del1 (nm->to_resolve, j);
3146 vec_free (indices_to_delete);
3150 vec_del1 (nm->auto_add_sw_if_indices, i);
3154 return VNET_API_ERROR_NO_SUCH_ENTRY;
3157 static_always_inline int
3158 is_sw_if_index_reg_for_auto_resolve (u32 *sw_if_indices, u32 sw_if_index)
3161 vec_foreach (i, sw_if_indices)
3163 if (*i == sw_if_index)
3172 nat44_ei_ip4_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3174 ip4_address_t *address,
3176 u32 if_address_index, u32 is_delete)
3178 nat44_ei_main_t *nm = &nat44_ei_main;
3179 nat44_ei_static_map_resolve_t *rp;
3180 nat44_ei_address_t *addresses = nm->addresses;
3188 if (!is_sw_if_index_reg_for_auto_resolve (nm->auto_add_sw_if_indices,
3196 /* Don't trip over lease renewal, static config */
3197 for (i = 0; i < vec_len (addresses); i++)
3199 if (addresses[i].addr.as_u32 == address->as_u32)
3205 (void) nat44_ei_add_address (address, ~0);
3207 /* Scan static map resolution vector */
3208 for (i = 0; i < vec_len (nm->to_resolve); i++)
3210 rp = nm->to_resolve + i;
3211 if (is_sm_addr_only (rp->flags))
3215 /* On this interface? */
3216 if (rp->sw_if_index == sw_if_index)
3218 rv = nat44_ei_add_static_mapping_internal (
3219 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3220 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3223 nat_elog_notice_X1 (
3224 nm, "add_static_mapping_internal returned %d", "i4", rv);
3231 // remove all static mapping records
3232 (void) nat44_ei_del_address (address[0], 1);
3237 nat44_ei_set_frame_queue_nelts (u32 frame_queue_nelts)
3240 nat44_ei_main_t *nm = &nat44_ei_main;
3241 nm->frame_queue_nelts = frame_queue_nelts;
3246 nat44_ei_ip4_add_del_addr_only_sm_cb (ip4_main_t *im, uword opaque,
3247 u32 sw_if_index, ip4_address_t *address,
3248 u32 address_length, u32 if_address_index,
3251 nat44_ei_main_t *nm = &nat44_ei_main;
3252 nat44_ei_static_map_resolve_t *rp;
3253 nat44_ei_static_mapping_t *m;
3254 clib_bihash_kv_8_8_t kv, value;
3255 int i, rv = 0, match = 0;
3262 for (i = 0; i < vec_len (nm->to_resolve); i++)
3264 rp = nm->to_resolve + i;
3266 if (is_sm_addr_only (rp->flags) && rp->sw_if_index == sw_if_index)
3278 init_nat_k (&kv, *address, is_sm_addr_only (rp->flags) ? 0 : rp->e_port,
3279 nm->outside_fib_index,
3280 is_sm_addr_only (rp->flags) ? 0 : rp->proto);
3281 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
3284 m = pool_elt_at_index (nm->static_mappings, value.value);
3290 rv = nat44_ei_del_static_mapping_internal (
3291 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3295 nat_elog_notice_X1 (nm, "nat44_ei_del_static_mapping returned %d",
3303 rv = nat44_ei_add_static_mapping_internal (
3304 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3305 ~0, rp->flags, rp->pool_addr, rp->tag);
3309 nat_elog_notice_X1 (nm, "nat44_ei_add_static_mapping returned %d",
3315 static_always_inline uword
3316 nat44_ei_classify_inline_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
3317 vlib_frame_t *frame)
3319 u32 n_left_from, *from, *to_next;
3320 nat44_ei_classify_next_t next_index;
3321 nat44_ei_main_t *nm = &nat44_ei_main;
3322 nat44_ei_static_mapping_t *m;
3323 u32 next_in2out = 0, next_out2in = 0;
3325 from = vlib_frame_vector_args (frame);
3326 n_left_from = frame->n_vectors;
3327 next_index = node->cached_next_index;
3329 while (n_left_from > 0)
3333 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
3335 while (n_left_from > 0 && n_left_to_next > 0)
3339 u32 next0 = NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3341 nat44_ei_address_t *ap;
3342 clib_bihash_kv_8_8_t kv0, value0;
3344 /* speculatively enqueue b0 to the current next frame */
3350 n_left_to_next -= 1;
3352 b0 = vlib_get_buffer (vm, bi0);
3353 ip0 = vlib_buffer_get_current (b0);
3355 vec_foreach (ap, nm->addresses)
3357 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
3359 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3364 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
3366 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
3367 /* try to classify the fragment based on IP header alone */
3368 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3371 m = pool_elt_at_index (nm->static_mappings, value0.value);
3372 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3373 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3376 init_nat_k (&kv0, ip0->dst_address,
3377 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
3378 ip_proto_to_nat_proto (ip0->protocol));
3379 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3382 m = pool_elt_at_index (nm->static_mappings, value0.value);
3383 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3384 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3389 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
3390 (b0->flags & VLIB_BUFFER_IS_TRACED)))
3392 nat44_ei_classify_trace_t *t =
3393 vlib_add_trace (vm, node, b0, sizeof (*t));
3395 t->next_in2out = next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
3398 next_in2out += next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3399 next_out2in += next0 == NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3401 /* verify speculative enqueue, maybe switch current next frame */
3402 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
3403 n_left_to_next, bi0, next0);
3406 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3409 vlib_node_increment_counter (
3410 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
3411 vlib_node_increment_counter (
3412 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
3413 return frame->n_vectors;
3416 VLIB_NODE_FN (nat44_ei_classify_node)
3417 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3419 return nat44_ei_classify_inline_fn (vm, node, frame);
3422 VLIB_REGISTER_NODE (nat44_ei_classify_node) = {
3423 .name = "nat44-ei-classify",
3424 .vector_size = sizeof (u32),
3425 .format_trace = format_nat44_ei_classify_trace,
3426 .type = VLIB_NODE_TYPE_INTERNAL,
3427 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3428 .error_strings = nat44_ei_classify_error_strings,
3429 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3431 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out",
3432 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in",
3433 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3437 VLIB_NODE_FN (nat44_ei_handoff_classify_node)
3438 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3440 return nat44_ei_classify_inline_fn (vm, node, frame);
3443 VLIB_REGISTER_NODE (nat44_ei_handoff_classify_node) = {
3444 .name = "nat44-ei-handoff-classify",
3445 .vector_size = sizeof (u32),
3446 .format_trace = format_nat44_ei_classify_trace,
3447 .type = VLIB_NODE_TYPE_INTERNAL,
3448 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3449 .error_strings = nat44_ei_classify_error_strings,
3450 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3452 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out-worker-handoff",
3453 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in-worker-handoff",
3454 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3459 * fd.io coding-style-patch-verification: ON
3462 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob